CVE-2026-1778

MEDIUM

Amazon SageMaker <v3.1.1,v2.256.0 - Info Disclosure

Title source: llm

Description

Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed.

References (4)

[Various Sources] https://aws.amazon.com/security/security-bulletins/2026-004-AWS/

[Vendor Advisory] https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-62rc-f4v9-h543

[Release Notes] https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.1.1

[Release Notes] https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0

Scores

CVSS v3 5.9

EPSS 0.0001

EPSS Percentile 1.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-295

Status published

Products (3)

AWS/SageMaker Python SDK 2.256.0

AWS/SageMaker Python SDK 3.1.1

pypi/sagemaker 3.0 - 3.1.1PyPI

Published Feb 02, 2026

Tracked Since Feb 18, 2026